Zscaler scripts
Three helpers manage the Zscaler corporate proxy when one is installed. All scripts no-op cleanly when the relevant Zscaler launchd plists are absent — safe on personal machines.
enable-zs
Loads the Zscaler service and tunnel launch daemons if they're not already running:
.local/share/scripts/enable-zs (core)
```sh
ZSCALER_SERVICE="/Library/LaunchDaemons/com.zscaler.service.plist"
ZSCALER_TUNNEL="/Library/LaunchDaemons/com.zscaler.tunnel.plist"

# Load each daemon only if its plist is installed and it is not already loaded
if [ -f "${ZSCALER_SERVICE}" ] && ! sudo launchctl list | grep 'com.zscaler.service' > /dev/null; then
    sudo launchctl load "${ZSCALER_SERVICE}"
    started=1
fi
if [ -f "${ZSCALER_TUNNEL}" ] && ! sudo launchctl list | grep 'com.zscaler.tunnel' > /dev/null; then
    sudo launchctl load "${ZSCALER_TUNNEL}"
    started=1
fi

# Wait 10s for the tunnel to come up
[ -n "${started:-}" ] && sleep 10
```
disable-zs
Unloads both daemons (tunnel first, service second).
use-zs-certs
Runs a command with the Zscaler root CA injected into the trust path. Useful for tools like Node, Python, and curl that don't read the system keychain by default.
Flow:
- If `~/.local/share/certificates/zscaler.pem` exists, use it.
- Otherwise, extract the Zscaler root CA from the system keychain via `security find-certificate -c "Zscaler Root CA" -p` and cache it in `~/.local/share/certificates/`.
- Export `ZSCALER_CERTIFICATE` and `NODE_EXTRA_CA_CERTS` pointing at the cert.
- `exec` the command.
If no certificate is found anywhere, the command still runs — with a warning, but without the extra CA. You'll get TLS errors if Zscaler is intercepting; that's the signal to import the cert into your keychain.
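The flow above written as POSIX shell functions, as an added example and not the project's `use-zs-certs` script; the function names and the `ZS_CERT_DIR` override are assumptions made for illustration. It goes one step beyond the described flow: an extracted certificate is written to a temporary file and moved into the cache only if it contains a PEM certificate, so a failed keychain lookup never leaves an empty file that later runs would treat as the CA.

```shell
# Added example (hypothetical names), not the project's use-zs-certs script.

# Keychain lookup named on the page; prints the PEM on stdout (macOS only).
zs_extract_ca() {
    command -v security >/dev/null 2>&1 || return 1
    security find-certificate -c "Zscaler Root CA" -p
}

# Print the path of the cached CA, extracting and caching it on first use.
# ZS_CERT_DIR is a hypothetical override of the cache directory.
zs_resolve_cert() {
    zs_dir="${ZS_CERT_DIR:-${HOME}/.local/share/certificates}"
    zs_cert="${zs_dir}/zscaler.pem"
    # Assumption: an empty cache file is treated as missing.
    if [ ! -s "${zs_cert}" ]; then
        mkdir -p "${zs_dir}" || return 1
        zs_tmp="${zs_cert}.$$"
        # Write to a temp file and rename, so a failed or partial
        # extraction never becomes the cached trust anchor.
        if zs_extract_ca > "${zs_tmp}" 2>/dev/null &&
            grep -q 'BEGIN CERTIFICATE' "${zs_tmp}"; then
            # The cert is public, but only the owner should be able to replace it.
            chmod 644 "${zs_tmp}" && mv "${zs_tmp}" "${zs_cert}" || return 1
        else
            rm -f "${zs_tmp}"
            return 1
        fi
    fi
    printf '%s\n' "${zs_cert}"
}

# Run "$@" with the CA exported; fall back to a warning if none is found.
use_zs_certs() {
    if zs_found="$(zs_resolve_cert)"; then
        # Subshell so exec replaces only the child, not the calling shell.
        ( export ZSCALER_CERTIFICATE="${zs_found}" NODE_EXTRA_CA_CERTS="${zs_found}"
          exec "$@" )
    else
        echo "warning: Zscaler root CA not found; running without it" >&2
        ( exec "$@" )
    fi
}
```

Because the cached file becomes a trust anchor for every wrapped command, it is worth checking that the cache directory and the PEM are writable only by your own user.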